Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgpool-hackers-owner+archive@lists.postgresql.org>)
	id 1w7ViF-005OI8-2N
	for pgpool-hackers@arkaria.postgresql.org;
	Tue, 31 Mar 2026 09:48:43 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgpool-hackers-owner+archive@lists.postgresql.org>)
	id 1w7ViE-009O5L-0I
	for pgpool-hackers@arkaria.postgresql.org;
	Tue, 31 Mar 2026 09:48:42 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <ishii@postgresql.org>)
	id 1w7ViD-009O5D-2z
	for pgpool-hackers@lists.postgresql.org;
	Tue, 31 Mar 2026 09:48:42 +0000
Received: from meldrar.postgresql.org ([2a02:c0:301:0:ffff::31])
	by magus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.98.2)
	(envelope-from <ishii@postgresql.org>)
	id 1w7ViB-000000029U5-1kda
	for pgpool-hackers@lists.postgresql.org;
	Tue, 31 Mar 2026 09:48:42 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=postgresql.org; s=20171124; h=Content-Transfer-Encoding:Content-Type:
	Mime-Version:References:In-Reply-To:From:Subject:Cc:To:Message-Id:Date:Sender
	:Reply-To:Content-ID:Content-Description;
	bh=mmoQE0FCKrJyf+z152hqwF2vRALngO+Sm0x0LXfdERg=; b=aCn8Cwj5r4i1SMR2iRuLX5/ui2
	892dGN7DbvXPsGzXd9qtwybNrW1Joc0pw+vPy9Opo9sqtFcHpNOMT8mb3I5f4dJ9LRz3tJ/mHyi/Q
	iK0B6Vmc/ratxiLAlJAU9D+8j0Bj+mNYqy8JuxOSjCm2jS326xqKhzimV6AVL7sGZpAOZLivJ2D3X
	BnFpnlYLCf0A1A403Px6c7ZzjSuExReWonFTgw1ad7Z+XtQskYKCJg7aTXxezwcqQbntPSC5Uxdu/
	cvvA6HEVeZECKS/sK826b2O86n12tZHdtR32xL0PGnXk8N6FP6VzBnDBEOAjll/Jv++5sBOkmE0A9
	1FifdQLA==;
Received: from [2409:11:4120:300:da5c:ddfa:43a9:b056] (helo=localhost)
	by meldrar.postgresql.org with esmtpsa  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <ishii@postgresql.org>)
	id 1w7Vi9-008UBG-07;
	Tue, 31 Mar 2026 09:48:39 +0000
Date: Tue, 31 Mar 2026 18:48:32 +0900 (JST)
Message-Id: <20260331.184832.554536681926821839.ishii@postgresql.org>
To: bob.ross.19821@gmail.com
Cc: pgpool-hackers@lists.postgresql.org
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
From: Tatsuo Ishii <ishii@postgresql.org>
In-Reply-To: 
 <CAHtZvrfap1R6+D=KsfE1iPU6_reGaPyf=m_GryEUNrNWe0KYbg@mail.gmail.com>
References: <20260326.170716.601660341897872041.ishii@postgresql.org>
	<20260326.191902.1769703442358463290.ishii@postgresql.org>
	<CAHtZvrfap1R6+D=KsfE1iPU6_reGaPyf=m_GryEUNrNWe0KYbg@mail.gmail.com>
X-Mailer: Mew version 6.8 on Emacs 29.3
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Host-Lookup-Failed: Reverse DNS lookup failed for
 2409:11:4120:300:da5c:ddfa:43a9:b056 (failed)
List-Id: <pgpool-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgpool-hackers@lists.postgresql.org>
List-Owner: <mailto:pgpool-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgpool-hackers>
Archived-At: 
 <https://www.postgresql.org/message-id/20260331.184832.554536681926821839.ishii%40postgresql.org>
Precedence: bulk

> Hi Tatsuo,
> 
> I believe no additional changes are needed for healthcheck and streaming
> replication check.
> 
> My patch focuses on the frontend-accept path, where SSL_ServerSide_init()
> maintains a process-wide cached SSL_frontend_context reused across incoming
> TLS handshakes, and therefore must be explicitly refreshed on reload.
> 
> In contrast, the health check (src/main/health_check.c) and the SR check
> worker (src/streaming_replication/pool_worker_child.c) establish outgoing
> connections to PostgreSQL backends via pool_ssl_negotiate_clientserver().
> This invokes init_ssl_ctx() for each new connection, creating a fresh
> SSL_CTX and reading SSL-related settings (ssl_cert, ssl_key, ssl_ca_cert,
> etc.) directly from pool_config at connection time. There is no long-lived
> SSL context to refresh in these processes.
> 
> Given that the SSL configuration parameters are now marked as CFGCXT_RELOAD
> in src/config/pool_config_variables.c, a SIGHUP causes both processes to
> reload pool_config via their respective reload_config() functions. As a
> result, subsequent outgoing backend connections will naturally pick up the
> updated certificate settings.

Thank you for the explanation. Yes, health check and SR check worker
establish connection to backend every time they need. I should have
remembered that.

I am going to write a regression test for this feature unless you are
willing to work on it.

Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp